
Configuring LAN-Based Active/Standby Failover

This section describes how to configure Active/Standby failover using an Ethernet failover link. When configuring LAN-based failover, you must bootstrap the secondary device to recognize the failover link before the secondary device can obtain the running configuration from the primary device.

Note: If you are changing from cable-based failover to LAN-based failover, you can skip any steps, such as assigning the active and standby IP addresses for each interface, that you completed for the cable-based failover configuration.

This section includes the following topics:

Configuring the Primary Unit

Configuring the Secondary Unit

Configuring the Primary Unit

Follow these steps to configure the primary unit in a LAN-based, Active/Standby failover configuration.

These steps provide the minimum configuration needed to enable failover on the primary unit. For multiple context mode, all steps are performed in the system execution space unless otherwise noted.

To configure the primary unit in an Active/Standby failover pair, perform the following steps:

Step 1 If you have not done so already, configure the active and standby IP addresses for each interface (routed mode) or for the management interface (transparent mode). The standby IP address is used on the security appliance that is currently the standby unit. It must be in the same subnet as the active IP address.

Note: Do not configure an IP address for the failover link or for the Stateful Failover link if you are going to use a dedicated Stateful Failover link.

hostname(config-if)# ip address active_addr netmask standby standby_addr

Note: In multiple context mode, you must configure the interface addresses from within each context.

Use the changeto context command to switch between contexts. The command prompt changes to hostname/context(config-if)#, where context is the name of the current context.

Step 2 (PIX security appliance platform only) Enable LAN-based failover.

hostname(config)# failover lan enable

Step 3 Designate the unit as the primary unit.

hostname(config)# failover lan unit primary

Step 4 Define the failover interface.

a. Specify the interface to be used as the failover interface.

hostname(config)# failover lan interface if_name phy_if

The if_name argument assigns a name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3.

b. Assign the active and standby IP address to the failover link.

hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr

The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask.

The failover link IP address and MAC address do not change at failover. The active IP address for the failover link always stays with the primary unit, while the standby IP address stays with the secondary unit.

c. Enable the interface.

hostname(config)# interface phy_if
hostname(config-if)# no shutdown

Step 5 (Optional) To enable Stateful Failover, configure the Stateful Failover link.

a. Specify the interface to be used as Stateful Failover link.

hostname(config)# failover link if_name phy_if

Note: If the Stateful Failover link uses the failover link or a data interface, then you only need to supply the if_name argument.

The if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose (except, optionally, the failover link).

b. Assign an active and standby IP address to the Stateful Failover link.

Note: If the Stateful Failover link uses the failover link or data interface, skip this step. You have already defined the active and standby IP addresses for the interface.

hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr

The standby IP address must be in the same subnet as the active IP address. You do not need to identify the standby address subnet mask.

The Stateful Failover link IP address and MAC address do not change at failover unless it uses a data interface. The active IP address always stays with the primary unit, while the standby IP address stays with the secondary unit.

c. Enable the interface.

Step 6 Enable failover.

hostname(config)# failover

Step 7 Save the system configuration to Flash memory.

hostname(config)# copy running-config startup-config

Configuring the Secondary Unit

The only configuration required on the secondary unit is for the failover interface. The secondary unit requires these commands to initially communicate with the primary unit. After the primary unit sends its configuration to the secondary unit, the only permanent difference between the two configurations is the failover lan unit command, which identifies each unit as primary or secondary.

For multiple context mode, all steps are performed in the system execution space unless noted otherwise.

To configure the secondary unit, perform the following steps:

Step 1 (PIX security appliance platform only) Enable LAN-based failover.

hostname(config)# failover lan enable

Step 2 Define the failover interface. Use the same settings as you used for the primary unit.

a. Specify the interface to be used as the failover interface.

hostname(config)# failover lan interface if_name phy_if

The if_name argument assigns a name to the interface specified by the phy_if argument.

b. Assign the active and standby IP address to the failover link.

hostname(config)# failover interface ip if_name ip_addr mask standby ip_addr

Note: Enter this command exactly as you entered it on the primary unit when you configured the failover interface on the primary unit.

c. Enable the interface.

hostname(config)# interface phy_if
hostname(config-if)# no shutdown

Step 3 (Optional) Designate this unit as the secondary unit.

hostname(config)# failover lan unit secondary

Note: This step is optional because by default units are designated as secondary unless previously configured.

Step 4 Enable failover.

hostname(config)# failover

After you enable failover, the active unit sends the configuration in running memory to the standby unit.

As the configuration synchronizes, the messages “Beginning configuration replication: Sending to mate” and “End Configuration Replication to mate” appear on the active unit console.

Step 5 After the running configuration has completed replication, save the configuration to Flash memory.

hostname(config)# copy running-config startup-config
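
A consistency check for the bootstrap commands in the two procedures above, written as an added example (it is not part of the original guide or any Cisco tool). The interface name folink, the port Ethernet2 and the 192.168.254.0/24 addresses are constructed sample values; the helper names parse and check_pair are hypothetical.

```python
import ipaddress
import re

# Constructed sample configs: interface name and addresses are made up.
PRIMARY = """\
failover lan unit primary
failover lan interface folink Ethernet2
failover interface ip folink 192.168.254.1 255.255.255.0 standby 192.168.254.2
failover
"""
# No "failover lan unit" line: units default to secondary.
SECONDARY = PRIMARY.replace("failover lan unit primary\n", "")

IP_RE = re.compile(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")


def parse(config):
    """Extract the failover settings from one unit's configuration text."""
    unit = {"role": "secondary", "lan_if": None, "links": {}, "enabled": False}
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("failover lan unit "):
            unit["role"] = line.split()[-1]
        elif line.startswith("failover lan interface "):
            unit["lan_if"] = tuple(line.split()[3:5])
        elif line == "failover":
            unit["enabled"] = True
        elif m := IP_RE.match(line):
            unit["links"][m.group(1)] = m.groups()[1:]
    return unit


def check_pair(primary_cfg, secondary_cfg):
    """Return a list of problems; an empty list means the pair is consistent."""
    p, s = parse(primary_cfg), parse(secondary_cfg)
    problems = []
    if (p["role"], s["role"]) != ("primary", "secondary"):
        problems.append("unit roles must be primary and secondary")
    if p["lan_if"] is None or p["lan_if"] != s["lan_if"]:
        problems.append("failover lan interface missing or different")
    name = p["lan_if"][0] if p["lan_if"] else None
    if name not in p["links"] or p["links"][name] != s["links"].get(name):
        problems.append("failover interface ip missing or different")
    for if_name, (active, mask, standby) in p["links"].items():
        net = ipaddress.ip_network(f"{active}/{mask}", strict=False)
        if ipaddress.ip_address(standby) not in net:
            problems.append(f"{if_name}: standby address outside active subnet")
    if not (p["enabled"] and s["enabled"]):
        problems.append("failover not enabled on both units")
    return problems
```

Only the failover link is compared between the units, because the secondary unit needs nothing else before replication; a Stateful Failover link on the primary is still checked for the same-subnet rule.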